Colorado’s new comprehensive consumer privacy law, the Colorado Privacy Act (CPA), will take effect on July 1, 2023. Earlier this year, the Colorado Attorney General’s Office (“AG”) finalized its yearlong rulemaking process, issuing final regulations and an FAQ.
We previously described the key components of the CPA when the legislation was introduced. As enacted, the main points are:
Application. The CPA imposes obligations on “controllers” that conduct business in Colorado, or intentionally target commercial products or services to Colorado residents, and satisfy either of the following thresholds: (1) control or process the personal data of at least 100,000 Colorado consumers or (2) derive revenue or obtain discounts from selling the personal data of at least 25,000 Colorado consumers. Importantly, the CPA does not exempt nonprofits and has no required revenue threshold the controller must meet before the CPA applies (for example, a threshold of annual gross revenues of greater than $25 million).
Exceptions. The CPA broadly exempts categories of data subject to certain other laws. For example, the CPA does not apply to data protected by HIPAA. Additionally, the CPA applies only to the data of Colorado residents acting as consumers in an individual or household context, but not in a commercial or employment context or as a job applicant.
Requirements. The CPA has many detailed provisions imposing new duties on controllers, and affording new rights to consumers, relating to consumers’ personal data. “Personal data” is defined as information that is linked or reasonably linkable to an identifiable individual and is not de-identified or publicly available. Although some CPA requirements are familiar from other similar state data privacy laws, the CPA and its regulations also include some fairly novel requirements for consumer data. For example, the CPA provides that controllers shall not process personal data in violation of state and federal antidiscrimination laws. Additionally, the CPA requires controllers to conduct “data protection assessments” of data processing that “presents a heightened risk of harm to a consumer” and make the assessment available to the Colorado AG upon request. The Colorado AG, Phil Weiser, has indicated he expects CPA-required undertakings, such as data protection assessments, to employ a thoughtful, principle-based approach and not merely be a “check the box” approach to compliance.
Enforcement. The Colorado AG and local district attorneys have sole authority to enforce the CPA; there is no private right of action allowing consumers to bring suit to enforce it. Until January 2025, there is also a right to cure under the CPA, meaning that if the Colorado AG or a local district attorney determines that a violation can be remedied, the controller must be given 60 days to cure the violation before action is taken against it. The Colorado AG’s office has received numerous questions regarding CPA compliance and is building an education program that will include expanding on the FAQ list and providing additional educational materials. We recommend signing up for the Colorado AG’s CPA distribution list so that any trainings or other opportunities for engagement aren’t missed.
Impacted companies doing business in Colorado should be prepared to comply with the CPA and its accompanying regulations. Additionally, separate Colorado statutes governing data security, data disposal and data breach reporting requirements remain on the books. Now is the time to ensure that internal compliance plans are up to date.
This document is intended to provide you with general information regarding the Colorado Privacy Act. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.